What does an RBI IT examination check for NBFCs and payment aggregators?

RBI IT examinations cover eight domains: IT Governance (Board-approved IS policy), Information Security (VAPT, patch management, access controls), IS Audit (annual audit by qualified auditor), IT Operations, IT Service Management, Cyber Fraud Risk Management (dark web monitoring, transaction fraud controls), Business Continuity (tested BCP/DR plan with documented drills), and Third-Party / Outsourcing Risk (vendor security assessments, data localisation). Examiners arrive with a standard questionnaire and request evidence for each domain.

How long does it take to prepare for an RBI IT examination?

Allow at least 3 months before your expected examination date. Bachao.AI's engagement takes 10 days for full-scope VAPT, 3-4 weeks for remediation of critical findings, 1-2 weeks for retest and closure certificate, and 4-6 weeks to close IS policy, BCP, or vendor risk gaps. Engaging after the examination notice arrives typically means answering 'in progress' on key examination questions — a worse outcome than a clean report.

Is VAPT required for the RBI IT Framework examination?

Yes. The RBI IT Framework for NBFCs explicitly requires 'periodic vulnerability assessment and penetration testing of IT systems, applications, and infrastructure.' Examiners request the last VAPT report, list of findings, evidence of remediation for critical and high findings, and retest confirmation. Bachao.AI's VAPT package delivers all four evidence items in a format RBI examiners accept.

How much does RBI IT examination preparation cost with Bachao.AI?

Bachao.AI's RBI IT examination readiness engagement is a fixed-fee package covering VAPT, IS policy gap review, IR plan documentation, and BCP/DR review. Pricing depends on asset scope and NBFC size tier. Most mid-sized NBFCs and payment aggregators find Bachao.AI's package significantly cheaper than engaging separate VAPT vendors, IS auditors, and compliance consultants — with faster turnaround and a single point of accountability.

What happens if an NBFC fails an RBI IT examination?

RBI IT examination findings result in a supervisory letter requiring compliance within a fixed timeline — typically 3-6 months. Repeated failures or critical findings can escalate to corrective action directives, restrictions on business activities, or public disclosure of examination findings. Proactive preparation with Bachao.AI addresses the most common examination gaps — IS policy staleness, missing VAPT, untested IR plans — before examiners arrive.

RBI IT Framework — NBFC Compliance 2026

Prepare for Your RBI IT Examination

RBI IT examiners check IS policy, VAPT evidence, incident response, BCP, and third-party risk. Bachao.AI maps every domain to a deliverable so your examination is a presentation, not a scramble.

Prepare for Your RBI Audit →Take the readiness assessment

Who faces RBI IT examination

RBI IT Framework applies across the regulated financial sector — not just large banks.

✓Non-Banking Financial Companies (NBFCs) with asset size above ₹500 crore

✓Upper and Middle Layer NBFCs under RBI's scale-based regulation

✓Payment aggregators and payment gateways under RBI PA guidelines

✓Urban Co-operative Banks under RBI IT Framework

✓District Central Co-operative Banks

✓Prepaid Payment Instrument (PPI) issuers

✓Account Aggregators under RBI framework

✓Housing Finance Companies regulated by NHB / RBI

RBI IT Framework domains → Bachao.AI deliverables

Eight examination domains. Every one mapped to specific evidence that satisfies RBI examiner expectations.

IT Governance

What RBI expects

Board-level IT policy, IT Strategy Committee, IS policy approved by Board annually

Bachao.AI deliverable

IS policy review + gap analysis report · Board presentation template

Examiner question

“Is there a Board-approved IS policy? Was it reviewed in the last 12 months?”

Information Security

What RBI expects

Periodic VAPT, patch management, access control review, network security assessment

Bachao.AI deliverable

Full-scope VAPT report (CVSS v3.1) · Infrastructure hardening checklist · Access control audit

Examiner question

“When was the last VAPT conducted? Were critical findings closed? Is there a patch management process?”

Vulnerability Management

What RBI expects

Documented vulnerability assessment program, tracking of open CVEs, periodic scans

Bachao.AI deliverable

VAPT report with finding tracker · Quarterly scan schedule · Remediation evidence log

Examiner question

“Is there a documented vulnerability management program? How are findings tracked to closure?”

Incident Management

What RBI expects

Documented IR plan, CERT-In 6-hour notification process, incident register maintained

Bachao.AI deliverable

IR plan template · CERT-In notification workflow · Incident log template

Examiner question

“Is there a documented IR plan? Has it been tested? Is there a CERT-In notification process?”

Business Continuity Planning

What RBI expects

Tested BCP/DR plan, RTO/RPO defined, annual DR drill conducted, BCP policy approved

Bachao.AI deliverable

BCP gap analysis · DR drill checklist · RTO/RPO documentation review

Examiner question

“When was the last DR drill? What are the defined RTO/RPO targets?”

Vendor / Third-Party Risk

What RBI expects

Vendor security assessment, data localisation verification, cloud service risk assessment

Bachao.AI deliverable

Third-party risk questionnaire · Cloud security posture assessment (CSPM)

Examiner question

“Are critical vendors assessed for security? Is customer data stored in India-resident infrastructure?”

Cyber Fraud Risk

What RBI expects

Transaction monitoring, dark web monitoring for leaked credentials, phishing monitoring

Bachao.AI deliverable

Dark web monitoring for your domain · Transaction anomaly alert setup · Phishing domain detection

Examiner question

“Is there monitoring for credential leaks and dark web exposure? Are there transaction fraud controls?”

Audit & Compliance

What RBI expects

IS audit by qualified auditor, IS audit report shared with Board IT Committee, open findings tracked

Bachao.AI deliverable

VAPT report suitable for Board IT Committee · Finding tracker with closure evidence

Examiner question

“Is there an annual IS audit? Were Board IT Committee minutes updated with audit findings?”

RBI IT Readiness — 5-question self-assessment

Answer these five questions honestly. Each “No” is a gap that examiners will flag.

Does your Board have an approved Information Security policy reviewed in the last 12 months?

YES →

IS policy governance is in place

NO →

Priority gap — examiners check this first

Has a formal VAPT been conducted on your core banking / lending / payments application in the last 12 months?

YES →

Vulnerability management evidence exists

NO →

High-risk gap — VAPT is a standard examination request

Is there a documented Incident Response plan that includes CERT-In 6-hour notification procedure?

YES →

IR governance meets CERT-In and RBI expectations

NO →

Gap — CERT-In notification is now a legal requirement

Has a Business Continuity / Disaster Recovery drill been conducted in the last 12 months with documented results?

YES →

BCP/DR evidence is examination-ready

NO →

Gap — RBI examiners ask for DR drill records

Are all critical and high VAPT findings from the last assessment tracked to confirmed closure?

YES →

Vulnerability remediation evidence is in place

NO →

Gap — open critical findings are a red flag for examiners

Count your “No” answers. Each one is a gap Bachao.AI can close before your examination.

Discuss your gaps on a free call →

RBI IT examination readiness — full breakdown

What RBI IT examiners actually check during an inspection

RBI IT examinations follow a structured framework across eight domains: IT Governance, Information Security, IS Audit, IT Operations, IT Service Management, Cyber Fraud Risk Management, Business Continuity, and Outsourcing / Third-Party Risk. Examiners arrive with a standard questionnaire and request evidence for each domain. The most common finding at NBFCs: Board-approved IS policy exists but has not been reviewed in 12+ months; VAPT was conducted once several years ago with no subsequent testing; incident response plan exists as a template but has not been tested; DR drills were conducted but not documented. These are the exact gaps Bachao.AI's engagement package is designed to close.

Scale-based regulation: which NBFCs face the most scrutiny

RBI's scale-based regulation framework categorises NBFCs into Base Layer (BL), Middle Layer (ML), Upper Layer (UL), and Top Layer (TL). Upper Layer and Top Layer NBFCs face the most intensive IT examination scrutiny — annual examinations, mandatory IS audit by empanelled auditors, and board-level IT governance requirements. Middle Layer NBFCs face periodic examinations. Base Layer NBFCs have lighter requirements but are not exempt. Payment aggregators are subject to RBI's PA Guidelines (2020) which have their own IT security requirements — including annual VAPT and security audit.

The VAPT requirement in RBI IT Framework — what it says exactly

The RBI IT Framework for NBFCs explicitly requires: 'Periodic vulnerability assessment and penetration testing of the IT systems, applications, and infrastructure.' The frequency is not defined as a fixed calendar period — it is 'periodic', which in examination practice means at least annually for most systems, with quarterly scans for internet-facing applications. Examiners ask for the last VAPT report, the list of findings, evidence of remediation for critical and high findings, and confirmation that follow-up testing was conducted. A Bachao.AI VAPT report package delivers all four evidence items.

Incident reporting to CERT-In: what happens if you miss the 6-hour window

The April 2022 CERT-In direction mandates that covered entities report cybersecurity incidents within 6 hours of becoming aware of them. This applies to NBFCs and payment aggregators. RBI IT examiners now verify CERT-In compliance as part of the incident management domain review — they ask if there is a documented notification procedure and whether any incidents in the previous period were reported on time. Missing the 6-hour window is a finding that goes into the examination report and can trigger follow-up directives from RBI. Bachao.AI's engagement includes an IR workflow template with the CERT-In notification process documented and tested.

Third-party risk and cloud: what RBI checks for NBFCs

RBI's IT Framework and PA Guidelines both include third-party risk management requirements — vendors and cloud service providers that handle customer data or support critical operations must be assessed for security posture. Examiners specifically check for: data localisation (is customer financial data stored in India-resident infrastructure?), vendor security questionnaires, contractual data protection clauses, and right-to-audit provisions. Bachao.AI's Cloud Security Posture Management (CSPM) assessment covers cloud misconfigurations and data residency verification — producing the evidence RBI examiners look for during the outsourcing risk review.

How long before your RBI examination should you engage Bachao.AI

RBI IT examinations are announced with limited notice — typically 2-4 weeks advance notice, or sometimes unannounced for specific targeted reviews. The right time to prepare is not when the examination notice arrives — it is at least 3 months before your next scheduled examination cycle. This gives: 10 days for VAPT completion, 3-4 weeks for remediation of critical findings, 1-2 weeks for retest and closure certificate, and 4-6 weeks to address any IS policy, BCP, or vendor risk gaps identified. Engaging after the examination notice arrives means answering 'in progress' on examination questions — which is a worse outcome than a clean report.

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

API Security Testing

OWASP API Top 10 coverage for REST and GraphQL endpoints.

Learn more →

Cloud Security Audit

AWS, Azure & GCP misconfiguration detection with DPDP mapping.

Learn more →

Dark Web Monitoring

Credential leak detection, brand impersonation & Telegram scanning.

Learn more →